Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Macro expansion via SPL/REST

paulcurry
Path Finder
‎08-21-2023 08:09 AM

I have a search that returns all of my correlation searches for a given app.  

| rest splunk_server=local count=0 /services/saved/searches
| where match('action.correlationsearch.enabled', "1|[Tt]|[Tt][Rr][Uu][Ee]")
| rename eai:acl.app as app, title as csearch_name, action.correlationsearch.label as csearch_label, action.notable.param.security_domain as security_domain
| search app=my_app 
| table csearch_name, csearch_label, app, security_domain, qualifiedSearch, description

 

This works fine and gives the desired output.  However, I would like to add a line in there that would automatically expand any macros in the qualifiedSearch field.

e.g.

search `azuread` "body.operationName"="Add member to role"

but return: 
search sourcetype=mscs:azure:eventhub "body.operationName"="Add member to role"

 

Is there a lookup or macroExpand function that I could add to my SPL to do this?

Labels (2)
Labels
Tags (3)
0 Karma
Reply

dtburrows3
Builder
‎01-08-2024 04:58 PM

I also was looking for something that did this for a really long time and could never find anything. 
I know about the CMD+SHIFT+E to expand macros on the UI but needed the same functionality inline in a search to use for meta-analysis (breaking down SPL to its components and analyzing).

I feel like there is some way of doing this that exists somewhere but have not had much luck finding it. 
So went ahead and tried making a custom command to do it and it actually seems to work out pretty well.
I do want to note that this custom command is recursive in a sense that it expands the macros all the way down. Meaning that if there are nested macros that this will expand the nested ones as well all the way unil there are no more macros to expand. So end result should be a fully detailed SPL that is being executed. It will also replace the input args with the values it finds in the input field so it will also return that SPL that would run for that specific search with the given arguments.
You can see an example of the output here (this particular example is derived from a dashboard, so input arguments are still tokenized and will be represented as such in the "expanded_spl" field):

dtburrows3_0-1704761420227.png

If you are still interested in this than you can give this a try, I think it will require entries in a commands.conf, searchbnf.conf metadata/local.meta and a custom python script in bin/

There is also a dependency on Splunk Python SDK.

Send me a message and I can get it packed up in a custom app to share if you still are needing this functionality.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...